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The two levels of data and actions on those data provided by the separation between equations and 
rules in rewriting logic are completed by a third level of strategies to control the application of 
those actions. This level is implemented on top of Maude as a strategy language, which has been 
successfully used in a wide range of applications. First we summarize the Maude strategy language 
design and review some of its applications; then, we describe a new case study, namely the description 
of completion procedures as transition rules + control, as proposed by Lescanne. 

1 Introduction 

Strategies are pervasive in Computer Science; we have, among many others, control strategies, reduction 
strategies, deduction strategies, rewriting strategies, narrowing strategies, theorem-proving strategies, e- 
learning strategies, etc. This is just a reflection of the fact that strategies are essential ingredients in game 
and problem-solving. In general, in many settings we can identify three levels in the development of the 
solution for a given problem: 

• definition of the data involved in the problem, 

• identification of the basic actions that manipulate those data, and 

• strategies to specify how those basic actions must be used to reach the desired solution. 

For example, in the setting of business process modeling, those three levels correspond to the data 
(clients, reservations, money, etc.), the business activities or web services involved, and the composi- 
tion of such activities or services to design more complex interactions through languages such as BPEL 
fill and BPMN lfl3l . 

Since its introduction by Meseguer in the early nineties [ 39 ] , rewriting logic addressed the separation 
between the first two levels above by distinguishing at the logic level equations from rules. Equations 
are used to define data (possibly including states), while rules are used to define transitions, activities, 
actions, and so on, that use data and allow to move from one state to another. Different specification 
languages are directly based on rewriting logic, including ELAN [9, 8] and Maude ll20l [191 ; in those 
languages, the distinction between equations and rules is emphasized by requiring, although both are 
implemented in terms of rewriting, equations to be confluent and terminating (and thus, any reduction 
strategy will give rise to the same unique result), while rules need not be either confluent or terminating. 
Then, if the user is interested in controlling the application of rules to avoid undesired directions, either 
the control is introduced into the rules in an ad hoc way depending on the problem, or it is necessary to 
introduce somehow the third level above to control the rule application by means of strategies. In the 
case of ELAN, this was part of its design, so that strategies become an essential part of the ELAN system, 
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which provides a basic set of strategies which can be used when writing rewrite rules, in such a way that 
at the specification level it is not enforced a separation between rules and strategies. On the other hand, 
in the case of Maude, for a while the introduction of explicit strategies was avoided by means of its direct 
access to the metalevel. Indeed, the Maude system provides rewrite commands for getting only an 
execution path, as well as a search command for exploring all possible execution paths from a starting 
term [19]; if one is interested in the results of only some execution paths satisfying some constraints, 
these can typically be specified at the metalevel, where both equations and rules become simply more 
data and can be manipulated in different ways. Even more, several strategy languages at the metalevel 
have been considered for different applications, such as, for example 11211 for completion. 

Taking into account our own previous experience designing strategy languages in Maude, and also 
from the experience of other languages like the already mentioned ELAN, TOM 0, and Stratego |j47ll48l 
we decided to design a strategy language for Maude ll36l . to be used at the object level instead of at the 
metalevel, thus avoiding the need to know this more complex framework, and completing at the same 
time in the case of Maude the third level in problem solving as described above. 

The Maude strategy language allows the definition of strategy expressions that control the way a term 
is rewritten. Differently from ELAN, our design was based on a strict separation between the rewrite 
rules and the strategy expressions, that are provided in separate modules. Thus, in our language it is not 
possible to use strategy expressions in the rewrite rules of a system module. A strategy is described as 
an operation that, when applied to a given term, produces a set of terms as a result, given that the process 
is nondeterministic in general. The basic strategies consist of the application of a rule (identified by the 
corresponding rule label) to a given term, and allowing variables in a rule to be instantiated before its 
application by means of a substitution. For conditional rules, rewrite conditions can be controlled also by 
means of strategies. Basic strategies are combined by means of, among others, typical regular expression 
constructions (concatenation, union, and iteration), if-then-else, combinators to control the way subterms 
of a given term are rewritten, and recursion [36]. 

Since its proposal, the language has been successfully applied to a wide range of examples, from 
operational semantics representations to the formalization of web services; in particular, in the context of 
business process modelling that we have mentioned above, the Maude strategy language has been used 
to represent in Maude fragments of BPEL (381 and also of BPMN 1251 . 

In the first part of this paper, after a quick introduction to Maude, we summarize the Maude strategy 
language design, by reviewing its syntax and set-theoretic semantics in Section [3] and then survey the 
main applications in Section [4] In the second part of the paper, Section [5] we present a new case study, 
namely the description of completion procedures as transition rules + control, as proposed by Lescanne 
in ||32l . Equational systems are represented as data that is going to be manipulated by rewrite rules imple- 
menting the completion inference rules, following a well-known approach. In order to get a completion 
algorithm, one needs to apply these rules in a controlled way. In his paper, Lescanne does this by means 
of CAML programs, while our approach is more abstract, emphasizing the fact that inference rules do 
not change at all in the different algorithms. 

2 Maude in a nutshell 

In Maude the state of a system is formally specified as an algebraic data type by means of an equational 
specification. Maude uses a very expressive version of equational logic, namely membership equational 
logic [11]. In this kind of specifications we can define new types (by means of the keyword sort); 
subtype relations between types (subsort); operators (op) for building values of these types, giving 
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the types of their arguments and result, and which may have attributes as being associative (assoc) 
or commutative (comm), for example; equations (eq) that identify terms built with these operators; and 
memberships (mb) t : s stating that the term t has sort s. Both equations and memberships can be condi- 
tional. Conditions are formed by a conjunction (written A) of equations and memberships. Equations 
are assumed to be confluent and terminating, that is, we can use the equations from left to right to reduce 
a term f to a unique (modulo the operator attributes such as associativity or commutativity) canonical 
form t' that is equivalent to t, i.e. they represent the same value. 

The dynamic behavior of a system is specified by rewrite rules of the form 

I : t — y t' if (f\ Ui = Vi) A (f\ Wj : Sj ) A {/\pk — > qu) 

i j k 

that describe the local, concurrent transitions of the system. That is, when part of a system matches the 
pattern t and the conditions are fulfilled, it can be transformed into the corresponding instance of the 
pattern t' . 



2.1 Crossing the river 

This example is taken from [20, Section 7.8], although the presentation here is slightly different. 

A shepherd needs to transport to the other side of a river a wolf, a goat, and a cabbage. He has only 
a boat with room for the shepherd himself and another item. The problem is that in the absence of the 
shepherd the wolf would eat the goat, and the goat would eat the cabbage. 

We represent with constants left and right the two sides of the river. The shepherd and his belong- 
ings are represented as objects with an attribute indicating the side of the river in which each is located 

and are grouped together with a multiset operator . The rules represent how the wolf or the goat eat 

and the ways of crossing the river allowed by the capacity of the boat; an auxiliary change operation is 
used to modify the corresponding attributes. 

mod RIVER-CROSSING is 
sorts Side Group . 
ops left right : -> Side . 
op change : Side -> Side . 

ops s w g c : Side -> Group . shepherd, wolf, goat, cabbage 

op : Group Group -> Group [assoc comm] . 



vars S S' : Side . 

eq change (left) = right . 

eq change (right) = left . 



crl [wolf-eats] : w(S) g(S) s(S') => w(S) s(S') if S =/= S' . 
crl [goat-eats] : c(S) g(S) s(S') => g(S) s(S') if S =/= S' . 
rl [shepherd-alone] : s(S) => s (change (S)) . 
rl [wolf] : s(S) w(S) => s(change(S)) w(change(S)) . 
rl [goat] : s(S) g(S) => s(change(S)) g(change(S)) . 
rl [cabbage] : s(S) c(S) => s (change (S)) c (change (S)) . 
endm 

We want to know if there is a way the shepherd can safely take his belongings to the other side. But 
if we search if a state where everybody is on the right is reachable from a state where everybody is on 
the left, we cannot be sure that an intermediate state where, for example, the wolf has the posibility of 
eating but it has not eaten, is also reached. That is, with the rewrite or search commands of Maude we 
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cannot ensure that the priority of the first two rules is taken into account. In Section 3.9 we will present 
a strategy that ensures that priority. 

3 The Maude strategy language 

In this section we describe the syntax of our strategy language and its set-theoretic semantics. A strategy 
is described as an operation that, when applied to a given term, produces a set of terms as a result, 
given that the process is nondeterministic in general. If the strategy fails (it cannot be applied to the 
given term), the empty set of results is returned. Otherwise, we say that the strategy succeeds (possibly 
returning several results). For the strategies of a rewrite theory ffl with signature £ we have a function 

_@_ : Strat x T Z (X) — ► &>(T Z (X)), 

where T Z (X) denotes the set of Z-terms with variables in X. This function has an obvious extension to a 
function 

_@_ : Strat x ^(Tz(X)) — ► ^(Tz(X)), 
where, if a G Strat and U C T Z (X), we have o@U = \J teU o@t. 

3.1 Idle and fail 

The simplest strategies are the constants idle and fail. The first always succeeds, but without mod- 
ifying the term t to which it is applied, that is, idle @ t = {?}, while the second always fails, that is, 
fail®* = 0. 

3.2 Basic strategies 

The basic strategies consist of the application of a rule (identified by the corresponding rule label) to a 
given term. Rule variables can be instantiated before its application by means of a substitution, that is, 
a mapping of variables to terms, so that the user has more control on the way the rule is applied. In 
case of conditional rules, the default breadth-first search strategy is used for checking the rewrites in the 
condition. Therefore, if / is a rule label, s a substitution, and t a term, the semantics of / [si @t is the set 
of terms to which t rewrites in one step using the rule with label / instantiated by substitution s anywhere 
where it matches and satisfies the rule's condition. The substitution can be omitted if it is empty. 

For conditional rules, rewrite conditions can be controlled by means of strategy expressions. A strat- 
egy expression of the form / [si iO\ . . . a„} denotes a basic strategy that applies anywhere in a given state 
term the rule / with variables instantiated by means of the substitution s and using G\, . . . , G n as strat- 
egy expressions to check the rewrites in the condition of /. The number of rewrite condition fragments 
appearing in the condition of rule / must be exactly n for the expression to be meaningful. 

3.3 Top 

The most common case allows applying a rule anywhere in a given term, as explained above, but we 
also provide an operation to restrict the application of a rule only to the top of the term, because in some 
examples like structural operational semantics, the only interesting or allowed rewrite steps happen at the 
top. top(/3) applies the basic strategy j8 only at the top of a given state term. Note, however, that even 
applying a rule at the top is nondeterministic due to the possibility of multiple matches, because matching 
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takes place modulo the equational attributes of the operators, such as associativity, commutativity, or 
identity. 

3.4 Tests 

Tests are considered as strategies that check a property on a state, so that the strategy applied to a state 
is successful when the test is true on such a state, and the strategy fails when the test is false; moreover, 
in the first case the state is not changed. That is, for X a test and t a term, x @ t will evaluate to {t} if x 
succeeds on t, and to if it fails, so that x acts as a filter on its input. 

Since matching is one of the basic steps that take place when applying a rule, the strategies that 
test some property of a given state term are based on matching. As in applying a rule, we distinguish 
between matching anywhere and matching only at the top of a given term, amatch p s.t. C is a 
test that, when applied to a given state term t', is successful if there is a subterm of t' that matches the 
pattern p (that is, matching is allowed anywhere in the state term) and then the condition C is satisfied 
with the substitution for the variables obtained in the matching, and fails otherwise, match p s.t . C 
corresponds to matching only at the top. When the condition C is simply true, it can be omitted. 

3.5 Regular expressions 

Basic strategies can be combined so that strategies are applied to execution paths. The first strategy 
combinators we consider are the typical regular expression constructions: concatenation, union, and 
iteration. The concatenation operator is associative and the union operator is associative and conmutative. 
This commutativity of union provides a form of nondeterminism in the way the solutions are found. 

If a, a' are strategy expressions and t is a term, then (a ; a') @ t = a' @ (a @ t), (a I a') @ t = 
(a @ t) U (a' @ t), and o + @ t = (J (>1 a' @ t, where a 1 = a and a" = (a ; a" -1 ) for n > 1. Of course, 
a * = idle | a +. For example, a strategy of the form a ; x (with x a test) will filter out all those results 
from a that do not satisfy the test X. 

3.6 Conditional strategy and its derivations 

Our next strategy combinator is a typical if-then-else, but generalized so that the first argument is also a 
strategy following ideas from Stratego fl48l and ELAN ifTOl . 

The behavior of the strategy expression a ? a' : a" is as follows: in a given state term, the strategy 
a is evaluated; if a is successful, the strategy a' is evaluated in the resulting states, otherwise a" is 
evaluated in the initial state. That is 

(a ? a' : a") @ t = if [a @ t) ^ then a' @ (a @ t) else a" @ t fi. 

Note that, as mentioned above, in general the first argument is a strategy expression and not just a test. 
Since a test is a strategy, we have the particular case x ? a' : a" for a test X where evaluation coincides 
with the typical Boolean case distinction: a' is evaluated when the test x is true and a" when the test is 
false, taking into account that a test fails when false. 

Using the conditional combinator, we can define many other useful strategy combinators as derived 
operations, a orelse a' evaluates a in a given state; if such evaluation is successful, its results are the 
final ones, but if it fails, then a' is evaluated in the initial state. 



a orelse a' = O ? idle : a' 
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f = f(... g( ) ) — ►fC... g( ) ) 

i , i i t i 



matching ^ J substitution 

p = g(. . .pi . . .p„. . .) — > g( ) 

^^o^^^^^^c^^-^^ of subterms 

Figure 1: Behavior of the amatchrew combinator. 

not (a) reverses the result of evaluating a, so that not (a) fails when a is successful and vice versa. 

not (a) = a ? fail : idle 
An interesting use of not (a) is the following "normalization" (or "repeat until the end") operation a ! : 

a ! = a * ; not (a) 

try (a) evaluates a in a given state; if it is successful, the corresponding result is given, but if it 
fails, the initial state is returned. 

try(a) = a ? idle : idle 

Evaluation of test (a) checks the success/failure result of a, but it does not change the given initial 
state. 

test (a) =not(a) ?fail : idle 
Notice that test (a) = not (not (a) ) . 

3.7 Rewriting of subterms 

With the previous combinators we cannot force the application of a strategy to a specific subterm of the 
given initial term. We can have more control over the way different subterms of a given state are rewritten 
by means of the amatchrew combinator. 
When the strategy 

amatchrew p s.t. C by p\ using G\,..., p„ using o n 

is applied to a state term t, first a subterm of t that matches the pattern p and satisfies C is selected. Then, 
the patterns pi, . . . ,p„ (which must be disjoint subterms of p), instantiated appropriately, are rewritten 
as described by the strategy expressions G\,...,G n , respectively. The results are combined in p and then 
substituted in t, in the way illustrated in Figure [T] 

The strategy expressions G\, . . . , G n can make use of the variables instantiated in the matching, thus 



taking care of information extracted from the state term (see, for example, the strategies in Section 5.1 
The version matchrew works in the same way, but performing matching only at the top. In both 

cases, the condition can be omitted when it is true. 

The congruence operators used in ELAN and Stratego ifTOl 1481 are special cases of the matchrew 

combinator, as shown in 
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3.8 Strategy modules and commands 

Given a Maude system module M, the user can write one or more strategy modules to define strategies 
for M. Such strategy modules have the following form: 

smod STRAT is 
protecting M . 

including STRAT\ . ... including STRAT j . 
strat sid\ : T\i ... T\ m 9 K\ . 
sd sid\ (pn , . . . ,p im ) := (Ji . 

strat sid n : T n \ ... T np <§ K n . 
sd sid„(p„i , . . . ,p np ) := O n . 
csd sid n (p' nl ,.. . ,p' np ) := o' n if C . 
endsm 



where M is the system module whose rewrites are being controlled, STRAT i,. . . , STRAT j are imported 
strategy submodules, sid\ , . . . , sid n are identifiers, and G\ , . . . , (7„ are strategy expressions (over the lan- 
guage of labels provided by M), where the identifiers can appear, thus allowing (mutually) recursive 
definitions. A strategy identifier can have data arguments, that are terms built with the syntax defined in 
the system module M. When a strategy identifier is declared (with the keyword strat), the types of its 
arguments (if any) are specified between the symbols : and @. After the symbol @, the type of the terms 
to which this strategy can be applied is also specified. A strategy definition (introduced with the keyword 
sd) associates a strategy expression (on the righthand side of the symbol : =) with a strategy identifier 
(on the lefthand side) with patterns as arguments, used to capture the values passed when the strategy is 
invoked. These strategy definitions can be conditional (with keyword csd). A strategy module can be 
parametric (see 11231 for details). 



3.9 Example 

Here we show how to control by means of strategies the rewriting in module RIVER-CROSSING from 



Section 2.1 In EUl the first two rules were presented as equations in order to force Maude to apply 
them before any other rule if it is possible. But besides the fact that that solution introduced a coherence 
problem that had to be solved, it changed the semantics of the problem. Here we can guarantee the 
priority of these two rules by means of strategies. The eating strategy below performs all possible 
eatings; the oneCrossing strategy applies one of the other rules once; and the allCE strategy returns all 
the possible reachable states where eating has had the higher priority. That is, allCE ensures that when 
someone can eat, it eats for sure; we cannot recover from a disaster situation. Finally, if the strategy 
solve applied to the initial state (where we assume that all the objects are located on the left riverbank) 
returns a solution, it means that there is a safe way in which the shepherd can transport all his belongings 
to the other side of the river. 

smod RIVER-CROSSING-STRAT is 
protecting RIVER-CROSSING . 

strat eating : Group . 

sd eating := (wolf -eats I goat-eats) ! . 



strat oneCrossing : Group . 

sd oneCrossing := shepherd-alone I wolf I goat I cabbage 
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strat allCE 
sd allCE := 



: Group . 

(eating ; oneCrossing) * . 



sd solve := 
endsm 



strat solve 



: Group . 

allCE ; match (s (right) w(right) g(right) c (right)) . 



3.10 Implementations of the strategy language 

Using the metalevel mechanisms provided by the Maude system as a metalanguage, we have imple- 
mented a prototype of the Maude strategy language [36]]. The metalevel features of Maude allow the 
definition of operations to work with modules and computations as objects, as is the case with strategies. 
The prototype works internally with a labelled version of the computation tree obtained by applying a 
strategy to a term. The prototype is completed with a user interface providing commands to load mod- 
ules, execute strategy expressions on states, and show results. The prototype and some examples can be 
obtained from http : / /maude . sip . ucm . es/ strategies . 

After validating the language experimentally and reaching a mature language design, a direct imple- 
mentation of our strategy language at the C++ level, at which the Maude system itself is implemented, 
is currently being developed |[23l . This will make the language a stable new feature of Maude and will 
allow a more efficient execution. 

In the meantime, we have advanced on the semantic foundations of the Maude strategy language 
in ||37l . We have shown that a strategy language 5? can be seen as a rewrite theory transformation 
St i — y such that ^(M) provides a way of executing M in a controlled way. One such theory trans- 

formation for the Maude strategy language is presented in detail in ||37l , providing in this way a rewriting 
semantics for the strategy language; since this rewriting semantics is executable, we obtained a different 
metalevel implementation. We also studied in lf37l some general requirements for strategy languages. 
Some of these requirements, like soundness and completeness with respect to the rewrites in ffl, are ab- 
solute requirements that every strategy language should fulfill. Other more optional requirements, that 
we call monotonicity and persistence, represent the fact that no solution is ever lost. A future research 
direction is the increased performance of strategy evaluations through parallelism. The point is that in 
a term a @ t (where strategy a is being applied to term t) incrementally evaluates to a (possibly 
nested) set data structure, so that the natural concurrency of rewriting logic is directly exploitable in 
^{^) by applying different rules in different places of this data structure where solutions are generated. 
This naturally suggests a distributed implementation of strategy languages. 

4 Some applications 

We briefly present in this section several research areas where Maude's strategy language has been ap- 
plied successfully. 

Operational semantics Rewriting logic and Maude are a very well-known semantic framework 051 
RTTl . By using strategies, the semantics representations can be made more simple and powerful, by 
separating the representation of the semantic rules from the mechanism used to control how they have to 
be applied. A simple example with Milner's CCS semantics is illustrated in [36]. 
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In the ambient calculus JTTIl an ambient is a place limited by a boundary where computations take 
place. Its contents are a parallel composition of sequential processes and subambients; communication 
between processes is local, through a blackboard. The operational semantics for the ambient calculus 
consists of a set of structural congruence rules and a set of reduction rules, which can be represented 
in Maude by using strategies, as detailed in Il42l . It gives us some congruence rules for free (as the 
commutativity and associativity of some operators), and the rest of the congruence rules are implemented 
as Maude equations. The reduction rules are then represented as rewrite rules in Maude. However, the 
reduction relation of the calculus is not a congruence for all the operators. This means that we cannot 
freely use the rewrite rules, as Maude would apply them anywhere in a term; and we do not want them to 
be applied after some operators. This is one of the reasons why the definition of a strategy that controls 
the application of these rules is necessary. 

Eden [33] is a parallel extension of the functional language Haskell. On behalf of parallelism, Eden 
overrides Haskell's pure lazy approach, combining a non-strict functional application with eager process 
creation and communication. The operational semantics of Eden [26] is defined by means of a two- 
level transition system: the lower level handles local effects within processes, whereas the upper level 
describes the effects global to the whole system, like process creation and data communication. Then, 
the global evolution of the system is described by iteration of the scheduling rules and the sequential 
composition of other transitions. Thus the definition of the semantics itself imposes an order in the 
application of the semantic rules and the use of strategies is mandatory. The representation in Maude 
all of these rules and relations is studied in l28l . Most of the semantic rules are represented as rewrite 
rules and the transition relations that are defined as the concatenation or repetition of other relations 
are defined by means of strategies. But there are a few semantic rules that are more abstract in their 
mathematical formulation so they cannot be directly translated to rewrite rules. They are represented 
as (usually recursive) strategies that combine other strategies or rewrite rules. All of Eden's operational 
semantics has been represented at a quite abstract level, independently from factors such as the eagerness 
degree in the creation of new processes or the speculation degree. It was used to analyze algorithmic 
skeletons implemented in Eden in 11271 . 

Modular structural operational semantics (MSOS) is a framework that allows structural operational 
semantics specifications to be made modular in the sense of not imposing the redefinition of transition 
rules when an extension is made. MSOS can be implemented in Maude in a quite precise way |[T4l|40l . 
The Maude MSOS Tool (TBI, an executable environment for modular structural operational semantics, 
has been endowed with the possibility of defining strategies over its transition rules, by combining the 
Maude MSOS Tool with the Maude strategy language in ifTBI . One advantage of this combination is the 
possibility of executing Ordered SOS specifications Roll , including negative premises. 

Membrane systems A membrane consists of a multiset w of objects, a set R of evolution rules (which 
are ordered by a priority relation), and a control mechanism C describing the way in which the rules 
are used to modify the multiset w in an evolution step. Control mechanisms can be given by maximally 
parallel rewriting, maximally parallel rewriting with priorities, and maximally parallel rewriting with 
promoters and/or inhibitors. In [1J it is shown how Maude can be used to specify membrane systems 
and how the control mechanisms in membranes can be described by using strategies. The strategy-based 
rewrite semantics thus defined preserves the maximal concurrency expressed by the maximal parallel 
application of the evolution rules IT341 . This framework has been improved with the notion of strategy 
controllers Q, which allow to reason at the higher level of computation given by the evolution of the 
membrane systems. The intuition behind a strategy controller is that it decides which strategy is applied 
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in the current state. A prototype has been developed |2| by extending the implementation at the metalevel 
of Maude's strategy language (37] . 

Multi-agent systems One of the challenges in the design and development of multi-agent systems is to 
coordinate and control the behavior of individual agents. There are different approaches, from low level 
ones (e.g., channel-based coordination) to high level ones (e.g., normative artifacts). These normative 
artifacts observe the actions performed by individual agents, determine their effects in the environment 
(which is shared by all individual agents), determine the violations caused by performing the actions, and 
possibly, impose sanctions. In J5]|3l, the semantics of norm-based organization artifacts is specified by 
using Maude and its strategy language. Strategies are used as an alternative way to implement different 
normative artifacts without changing the semantics of the normative language. Thus, the normative multi- 
agent system is executed with respect to the transition rules which give the semantics of the normative 
language. However, how the system changes is described at an upper level by strategically instrumenting 
the transition rules. By using strategies there is a clear separation between executions and control. Timed 
choreographies are also considered in ||4). 

Other applications Maude's strategy language has also been applied to solve sudoku puzzles in Il44ll : 
to formalize web services composition in 1381 : to execute a rewriting logic representation of neural 
networks and the backpropagation learning algorithm in P31 ; to present a rule-based approach for the 
design of dynamic software architectures in |[T6l ; and to develop a specification of the connection method 
(a goal-directed proof procedure that requires a careful control over clause copies) for first-order logic in 
|[29l . Of course, there are surely more examples we are not aware of yet. 

5 Completion 

A completion procedure is a method used in equational logic to build from a set of (unordered) identities 
E an equivalent canonical set of rewrite rules R, i.e. a confluent, noetherian and interreduced set of 
rules used to compute normal forms. A basic completion procedure can be given by firstly orienting 
the identities in E (using a provided reduction order on terms) and then iteratively computing all critical 
pairs of the rewrite system obtained so far and adding to it oriented versions of all the non-joinable 
ones. In order to avoid the huge number of rules that this basic procedure usually generates, rules can 
be simplified by reducing them with the help of other rules. Following Bachmair and Dershowitz |6|, 
that method can be described by a set of inference rules (Figure [2]) that covers a wide range of different 
specific completion procedures. A specific completion procedure is obtained from that set of rules by 
fixing a strategy for rule application. 

The inference rules work on pairs (E,R) where £ is a finite set of identities (input identities or critical 
pairs that have not yet been transformed into rules) and R is a finite set of terminating rewrite rules^The 
goal is to transform an initial pair (Eq,®) into a pair (0,/?) such that R is convergent and equivalent to Eq. 

The inference rule DEDUCE derives an identity that is a direct consequence of rules in R, and adds 
it to E. A special, common case is adding a critical pair of R to E. The rule Orient takes an identity 
that can be ordered with the help of > and adds the corresponding rule to R. The rule Delete removes 
a trivial identity, and the rule Simplify-identity uses R to reduce identities. Both rules can be used 
together to remove joinable critical pairs. The rule R-SlMPLlFY-RULE reduces the righthand side of a 



Termination of R is ensured by a reduction order > that is given as an input to the completion procedure. 
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Figure 2: Inference rules for completion. 



rule. Since, by assumption, termination of R can be shown using >, we know that s -^- R t — > R u implies 
s > t > u. For this reason, s — > u can be kept as a rule. However, when reducing the lefthand side of a 
rule s — y t to u, it is not clear whether u > t is satisfied. Thus, the rule L-SlMPLlFY-RULE adds u « t as 
an identity. The notation s u is used to express that s is reduced by a rule I —yr ER such that / cannot 
be reduced by s — y t. 

As mentioned above, specific completion procedures can be obtained from the inference rules in 
Figure [2]by fixing a strategy for rule application. In the following sections we show how to use Maude's 
strategy language to represent several completion procedures described by Lescanne in l32l . ELAN JH 
has also been used to prototype completion algorithms in [31 ] by using strategies and constraints. Even 
Maude has already been used to represent Huet's completion algorithm [30], by using strategies defined 
at the metalevel in ETTl. 



In IT321 several algorithms for completion are presented using the functional programming language 
CAML. The main differences among the algorithms are the data structures on which the transition rules 
operate, and the control that describes the way the transitions rules are invoked. Here, we redo this 
work in Maude by using the proposed strategy language: the data structure is the term being rewritten, 
inference rules (transition rules in Lescanne's terminology) are represented as rewrite rules, and the 
control is represented as strategies applying the rules in a directed way. We consider three algorithms, 
as described by Lescanne: N-Completion, S -Completion, and ANS -Completion. Each algorithm is a 
refinement of the previous one, obtained by adding more components to the data structure, adapting the 
transition rules, and changing the control with the idea of making the algorithm more efficient. In this 
presentation we do not deal with the two unfailing completion algorithms also presented by Lescanne. 
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5.1 N-completion 

N-completion is a first improvement of the overly abstract inference rules in order to take the computation 
of critical pairs into account. For this algorithm, the data structure has three components: 

• E is a set of identities, either given identities or computed critical pairsj^] 

• T is a set of rules whose critical pairs have not been computed yet, and 

• R is another set of rules whose critical pairs have already been computed (marked rules in Huet's 
terminology 1301). 

The transition rules correspond to the inference rules but adapted to these three components. They 
are represented in Maude as follows: 

mod N-COMPLETION is 
pr CRITICAL-PAIRS . 

sort System . 

op <_,_,_> : R1S R1S EqS -> System . *** < R, T, E > 

var E : EqS . var r : Rl . vars R T : R1S . vars s t u : Term . 

rl [Deduce] : < R, T, E > => < R, T, E s =. t > . *** if s <— u — > t 

crl [Orient] : < R, T, E s =. t > => < R, T s -> t, E > if s > t . 

rl [Delete] : < R, T, E s =. s > => < R, T, E > . 

crl [Simplify] : < R, T, E s =. t > => < R, T, E u =. t > 
if u := reduce (s, R T) . 

crl [R-Simplify] : < R s -> t, T, E>=><Rs->u, T, E> 
if u := reduce (t, R T) . 

crl [R-Simplify] : < R, T s -> t , E > => < R, T s -> u, E > 
if u := reduce (t, R T) . 

crl [L-Simplify] : < R s -> t, T, E > => < R, T, E u =. t > 
if u := reduce>(s -> t, R T) . 

crl [L-Simplify] : < R, T s -> t , E > => < R, T, E u = . t > 
if u := reduce>(s -> t, R T) . 

rl [move] : < R, r T, E > => < r R, T, E > . 
endm 

The included module CRITICAL-PAIRS contains functions, defined at the metalevel, that compute 
critical pairs of a set of rules, or the reductions — >r (reduce) and (reduce>). Observe that the 
inference rule R- Simplify- RULE gives rise to two rewrite rules: one where the righthand side of a rule 
in the set R is simplified and another one where the righthand side of a rule in T is simplified. The same 



2 The fact that an identity is an unordered pair is represented in Maude by using an operator _= . _ with the commutative 
attribute. 
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happens with L-SlMPLlFY-RULE. The rewrite rule move will be used by the strategy to move a rule from 
set T to set rE 

The algorithm N-completion has essentially three steps, namely success, when T and E are empty, 
computing critical pairs after simplification of the rules, when E is empty, and orienting an identity into 
a rule after simplification of the identities, when E is not empty. In the orientation part, it could happen 
that by simplification all the identities disappear. In this case, one does nothing, that is just translated 
by a recursive call. This algorithm can be succinctly expressed by the following strategy module (the 
strategy identifier declarations have been omitted): 

smod N-COMPLETION-STRAT is 
protecting N-COMPLETION . 

sd N-COMP := success orelse deduce orelse orient . 

sd success := match < R, mtRlS, mtEqS > . 

sd deduce := match < R, r T, mtEqS > ; 
deduction ; 
simplif y-rules ; 
N-COMP . 

sd deduction := matchrew < R, r' T, E > by 

< R, r' T, E > using (add-crit-pairs (CP (r ' , R r')) ; 

move [r <- r']) . 

sd add-crit-pairs (mtEqS) := idle . 

sd add-crit-pairs (si =. tl E) := Deduce [s <- si ; t <- tl] ; add-crit-pairs (E) . 

sd simplif y-rules := (L-Simplify I R-Simplify) ! . 

sd orient := match < R, T, e E > ; 
simplify-eqs ; 

( (match < R, T, mtEqS > ; N-COMP) 
orelse (Orient ; N-COMP) ) . 

sd simplify-eqs := (Delete I Simplify) ! . 
endsm 

5.1.1 Example 

Let us consider the following set of equations 

{ g(*,y) ~ a,g(x,y) » h(x,y),h(x,y) « f(x),h(x,y) « f(y) } 

and the lexicographic path order induced by the precedence g > h > f > a. The basic completion 
procedure uses Orient to generate the rules 

{ g(x,y) -4 a,g(x,y) -)• h(x,y),h(x,y) ->■ f(x),h(x,y) -> f(y) } 

and then DEDUCE to compute the critical pairs a h(x,y) and f{x) m f(y). We can reproduce this 
behavior by using some of the previous strategies 

3 That is because the only way a strategy can modify the term being rewritten is by means of rewrite rules. 
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Maude> (srew < mtRlS, mtRlS, eqs > using Orient ! .) 
result System : 

< mtRlS, »g['x:S, 'y:S] -> 'a.S 'g['x:S, 'y :S] -> 'h['x:S, 'y:S] 

>h['x:S, 'y:S] -> 'f['x:S] 'h['x:S, 'y :S] -> 'f['y:S], mtEqS > 

Maude> (cont using deduction ! ; Delete ! . ) 
result System : 

< 'g['x:S, >y:S] -> 'a.S 'g['x:S, 'y:S] -> 'h['x:S, 'y:S] 
'h['x:S, 'y:S] -> >f['x:S] 'h['x:S, 'y:S] -> 'f['y:S], 

mtRlS, 'a.S =. 'h['xl:S, »yl:S] 'f['xl:S] =. 'f['yl:S] > 

where srew is the command for applying a strategy to a given term; the constant eqs represents the 
above set of equations; cont is the command used to apply a strategy to the term returned by the previous 
application; and all the terms are metarepresented. 

The basic completion procedure continues by trying to simplify and orient these critical pairs, but the 
terms in f(x) ps f(y) are irreducible and cannot be compared with any reduction order. So, the procedure 
fails. However, a h(x,y) can be oriented and used to compute new critical pairs that allow to reduce 
f(x) « f(y) to a trivial identity. The N-completion procedure is able to find this solution. 

Maude> (srew < mtRlS, mtRlS, eqs > using N-COMP .) 
result System : 

< 'f['x:S] -> 'a.S 'g['x:S, 'y:S] -> 'a.S 'h['x:S, 'y :S] -> 'a.S, mtRlS, mtEqS > 

5.2 S-completion 

The main aim of orienting identities is to use them to simplify whenever it is possible. However, N- 
completion makes a bad use of simplification. S-completion is an improvement of N-completion where 
a rule is used for simplification as soon as it has been generated. When an identity is oriented into a rule, 
it enters a set S where it is used to simplify all the other identities and rules. Thus, the data structure has 
now four components: 

• E is a set of identities, like in N-completion, 

• 5 is a (singleton or empty) set of oriented identities (rules) that are used to simplify other rules, 

• T is a set of rules already used for simplifying, but whose critical pairs have not been computed 
yet, and 

• R is another set of rules whose critical pairs have already been computed, like in N-completion. 

The only difference with the N-completion is the set S through which a rule has to go before entering 
T. The rewrite rules are modified to express this fact. We only show the rule that really changes (Orient) 
and a new rule that is used by the strategy to join the sets T and S. The rest of the rules are only modified 
by including the new set 5. 

mod S-COMPLETION is 
pr CRITICAL-PAIRS . 
sort System . 

op <_,_,_,_> : R1S R1S R1S EqS -> System . *** < R, T, S, E > 

crl [Orient] : < R, T, S, E s =. t > => < R, T, S s -> t, E > if s > t . 

rl [concatT&S] : < R, T, S, E > => < R, T S, mtRlS, E > . 
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[...] 
endm 

The simplification step is clearly distinguished from the three others. It is performed when S is not 
empty. The completion process ends when there are no more identities or rules in E, S or T. Again, we 
only show the strategies that really change. 

smod S-CDMPLETION-STRAT is 

sd S-CDMP := success orelse simplif y-rules orelse deduce orelse orient . 

sd success := match < R, mtRlS, mtRlS, mtEqS > . 

sd simplif y-rules := match < R, T, r S, E > ; 

(L-Simplify I R-Simplify) ! ; 
concatT&S ; 
S-COMP . 

sd deduce := match < R, r T, mtRlS, mtEqS > ; 
deduction ; 
S-CDMP . 

[...] 

endsm 

5.3 ANS-completion 

S-completion computes all the critical pairs between all rules in R and one rule in T. In order to apply 
simplification as soon as possible, it is better to compute the critical pairs between one rule in R and one 
rule in T at a time. A new set C is created to contain one rule extracted from T with which critical pairs 
with rules in R are computed. To keep track of the rules whose critical pairs are computed with the rule 
in C, R is split into two sets, A (for already computed) and N (for not yet computed). The data structure 
has now six components: 

• E is a set of identities, like in S-completion, 

• S is a set of simplifying rules, like in S-completion, 

• T is a set of rules coming from S and waiting to enter C, 

• C is a set that contains at most one rule and whose critical pairs are computed with one in N, 

• N h the part of R whose critical pairs have not been computed with C but whose critical pairs with 
AUN have been computed, and 

• A is a set whose critical pairs with A U N U C have been computed. 

The transition rules are trivially adapted to work with this new data structure, and two new rules are 
added. Rule AC2N joins the sets A and C with N and rule f illC extracts the smallest rule in T and puts 
it in C. 

mod ANS-CDMPLETION is 
pr CRITICAL-PAIRS . 
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sort System . 
op <_,_,_,_,_ 



> : R1S R1S R1S R1S R1S EqS -> System . *** < A, N, C, T, S, E > 



[...] 



rl [AC2N] 



< A, N, C, T, S, E > => < mtRlS, A N C, mtRlS, T, S, E > 



crl [fillC] 



] : < A, N, C, T, S, E > => < mtRlS, AN, r, T', S, E> 
if r := least-rule (T) /\ 
r T' : = T . 



endm 



The procedure has now six parts, namely success, simplification, orientation, deduction, internal 
deduction, and beginning of a new loop of computation of critical pairs. Deduction computes the critical 
pairs between the smallest rule in N and the rule in C, whereas internal deduction computes the critical 
pairs obtained by superposing the rule in C on itself. 

smod ANS-COMPLETION-STRAT is 

sd ANS-COMP := success orelse 



sd success := match ( < A, N, mtRlS, mtRlS, mtRlS, mtEqS > ) . 

sd deduce := match (< A, r N, r', T, mtRlS, mtEqS >) ; 
deduction ; 
ANS-COMP . 

sd deduction := matchrew < A, r' N, r' ' , T, S, E > s.t. r' := least-rule(r' N) by 
< A, r' N, r" , T, S, E > using (add-crit-pairs(CP(r ' ' , r')) ; 

move [r <- r '] ) . 

sd internal-deduction := ( matchrew < A, mtRlS, r', T, mtRlS, mtEqS > by 



6 Concluding remarks 

As another application of the Maude strategy language, we have described completion procedures as 
transition rules + control, following Lescanne's proposal P2l . Our version, using rewrite rules and 
declarative strategies instead of CAML programs, is more abstract and emphasizes the fact that inference 
rules do not change at all in the different algorithms. 



simplif y-rules orelse 

orient orelse 

deduce orelse 

internal-deduction orelse 
new-loop . 




sd new-loop := fillC ; ANS-COMP . 
[...] 
endsm 
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This new case study on top of a growing list of applications throughout the world, has confirmed that 
the design of the Maude strategy language is good enough to handle a variety of algorithms based on the 
transition rules + control paradigm, using Lescanne's words, or simply data + actions + strategies, using 
the well-known three-level approach to problem solving. 

As part of ongoing work, we are studying the integration of the strategies and model-checking fea- 
tures of Maude. Properties of rewriting systems expressed in linear temporal logic can be studied in 
Maude with the help of its integrated model checker I24ll20ll . This tool checks the temporal properties 
fulfilled by a transition system by considering all the possible executions from a given state; however, 
as described in this paper, we can be interested in using the Maude strategy language to control those 
executions and possibly to restrict them, thus modifying the transition system. Thus, we plan to study 
how to model check temporal formulas satisfied by systems controlled by strategies, thus combining the 
advantages of two quite useful Maude features for the specification of systems: model checking at the 
property level and strategies at the execution level. 
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